Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Release CF3's support for environment variables and secrets #4149

Merged
merged 14 commits into from
Feb 10, 2022
Merged

Release CF3's support for environment variables and secrets #4149

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
14 commits
Select commit Hold shift + click to select a range
41696b3
Use runtime delegate to parse function triggers in the Functions Emul…
taeold Jan 27, 2022
ac72bf8
Slim down Functions Emulator Runtime (i.e. args sent over to emulated…
taeold Jan 31, 2022
dd8cef8
Merge remote-tracking branch 'origin/master' into cf3-secrets
taeold Jan 31, 2022
8b1a590
Merge branch 'cf3-secrets' of https://github.com/firebase/firebase-to…
taeold Jan 31, 2022
39f2ac7
CF3 Secrets Support (#3959)
taeold Feb 3, 2022
3293186
Add new command (functions:secrets:set) for creating secrets to be us…
taeold Feb 3, 2022
08f2236
Add functions:secrets:{access, destroy, get} commands. (#4026)
taeold Feb 3, 2022
3310fdc
Add command to prune unused secrets (#4108)
taeold Feb 4, 2022
bb51612
Add support for secrets in the Functions Emulator (#4106)
taeold Feb 7, 2022
108beea
Merge branch 'master' of https://github.com/firebase/firebase-tools i…
taeold Feb 8, 2022
ef86cce
Merge branch 'cf3-secrets' of https://github.com/firebase/firebase-to…
taeold Feb 8, 2022
e799549
Remove preview flag, add option to disable dotenv support. (#4022)
taeold Feb 8, 2022
2934f6c
Add EXT_ as a reserved environment variable prefix (#4148)
taeold Feb 9, 2022
0f74941
Merge branch 'master' into cf3-secrets
taeold Feb 10, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
Prev Previous commit
Next Next commit
Add support for secrets in the Functions Emulator (#4106) 
Emulator will now recognize function triggers with secret environments and ensure that secret environment variables are populated in the emulated runtime.

Secrets in Functions Emulator can come from 2 sources:

1) From local override file (`.secret.local`).

2) From Google Cloud Secret Manager. In this case, default application credentials (i.e. credentials used in Firebase CLI) will be used to fetch the secret from GCP.
 
As suspected, (1) take precedence over (2). If accessing secret from GCP fails for any reason, the Emulator logs, but does not throw, the failed attempt and proceeds to execute the functions code.

Some refactoring changes needed to be in the Emulator:

* Some functions turned into async.
* We pass around the whole trigger in more places.
  • Loading branch information
@taeold
taeold committed Feb 7, 2022
commit bb5161223a660bac7afd1f56eb15892e36e12e1c
86 changes: 83 additions & 3 deletions scripts/emulator-tests/functionsEmulator.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,11 @@
import * as fs from "fs";

import { expect } from "chai";
import * as express from "express";
import * as sinon from "sinon";
import * as supertest from "supertest";
import * as winston from "winston";
import * as logform from "logform";

import { EmulatedTriggerDefinition } from "../../src/emulator/functionsEmulatorShared";
import {
Expand All @@ -14,8 +18,7 @@ import { RuntimeWorker } from "../../src/emulator/functionsRuntimeWorker";
import { TIMEOUT_LONG, TIMEOUT_MED, MODULE_ROOT } from "./fixtures";
import { logger } from "../../src/logger";
import * as registry from "../../src/emulator/registry";
import * as winston from "winston";
import * as logform from "logform";
import * as secretManager from "../../src/gcp/secretManager";

if ((process.env.DEBUG || "").toLowerCase().includes("spec")) {
const dropLogLevels = (info: logform.TransformableInfo) => info.message;
Expand Down Expand Up @@ -97,6 +100,23 @@ functionsEmulator.setTriggersForTesting(
httpsTrigger: {},
labels: {},
},
{
platform: "gcfv1",
name: "secrets_function_id",
id: "us-central1-secrets_function_id",
region: "us-central1",
entryPoint: "secrets_function_id",
secretEnvironmentVariables: [
{
projectId: "fake-project-id",
secret: "MY_SECRET",
key: "MY_SECRET",
version: "1",
},
],
httpsTrigger: {},
labels: {},
},
],
testBackend
);
Expand All @@ -112,7 +132,7 @@ function useFunctions(triggers: () => {}): void {
trigger: EmulatedTriggerDefinition,
proto?: any,
runtimeOpts?: InvokeRuntimeOpts
): RuntimeWorker => {
): Promise<RuntimeWorker> => {
return startFunctionRuntime(testBackend, trigger, proto, {
nodeBinary: process.execPath,
serializedTriggers,
Expand Down Expand Up @@ -699,4 +719,64 @@ describe("FunctionsEmulator-Hub", () => {
});
}).timeout(TIMEOUT_MED);
});

describe("secrets", () => {
let readFileSyncStub: sinon.SinonStub;
let accessSecretVersionStub: sinon.SinonStub;

beforeEach(() => {
readFileSyncStub = sinon.stub(fs, "readFileSync").throws("Unexpected call");
accessSecretVersionStub = sinon
.stub(secretManager, "accessSecretVersion")
.rejects("Unexpected call");
});

afterEach(() => {
readFileSyncStub.restore();
accessSecretVersionStub.restore();
});

it("should load secret values from local secrets file if one exists", async () => {
readFileSyncStub.returns("MY_SECRET=local");

useFunctions(() => {
return {
secrets_function_id: require("firebase-functions").https.onRequest(
(req: express.Request, res: express.Response) => {
res.json({ secret: process.env.MY_SECRET });
}
),
};
});

await supertest(functionsEmulator.createHubServer())
.get("/fake-project-id/us-central1/secrets_function_id")
.expect(200)
.then((res) => {
expect(res.body.secret).to.equal("local");
});
}).timeout(TIMEOUT_LONG);

it("should try to access secret values from Secret Manager", async () => {
readFileSyncStub.throws({ code: "ENOENT" });
accessSecretVersionStub.resolves("secretManager");

useFunctions(() => {
return {
secrets_function_id: require("firebase-functions").https.onRequest(
(req: express.Request, res: express.Response) => {
res.json({ secret: process.env.MY_SECRET });
}
),
};
});

await supertest(functionsEmulator.createHubServer())
.get("/fake-project-id/us-central1/secrets_function_id")
.expect(200)
.then((res) => {
expect(res.body.secret).to.equal("secretManager");
});
}).timeout(TIMEOUT_LONG);
});
});